From ac0f5a1ebada5cd8df1c8e6e52332cfdd4adcb02 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 20:30:23 +0200 Subject: Adding debian version 2.10.34-1+deb12u2. Signed-off-by: Daniel Baumann --- debian/patches/01_hurd_ftbfs.patch | 24 ++++++ debian/patches/02_hurd_ftbfs.patch | 25 ++++++ .../plug-ins-Additional-fixes-for-DDS-Import.patch | 53 ++++++++++++ ...s-Fix-DDS-import-regression-from-7db71cd0.patch | 99 ++++++++++++++++++++++ ...g-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch | 62 ++++++++++++++ .../plug-ins-Fix-vulnerabilities-in-file-psp.patch | 49 +++++++++++ .../plug-ins-Fix-vulnerability-in-file-psd.patch | 29 +++++++ debian/patches/series | 7 ++ 8 files changed, 348 insertions(+) create mode 100644 debian/patches/01_hurd_ftbfs.patch create mode 100644 debian/patches/02_hurd_ftbfs.patch create mode 100644 debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch create mode 100644 debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch create mode 100644 debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch create mode 100644 debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch create mode 100644 debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch create mode 100644 debian/patches/series (limited to 'debian/patches') diff --git a/debian/patches/01_hurd_ftbfs.patch b/debian/patches/01_hurd_ftbfs.patch new file mode 100644 index 0000000..087cba2 --- /dev/null +++ b/debian/patches/01_hurd_ftbfs.patch @@ -0,0 +1,24 @@ +From: Svante Signell +Date: Sun, 1 Apr 2018 17:43:04 -0400 +Subject: Define PATH_MAX to fix build on the Hurd. + +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424 +Applied-upstream: no +--- + libgimpbase/gimpreloc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/libgimpbase/gimpreloc.c b/libgimpbase/gimpreloc.c +index b9fa4df..8cd72f9 100644 +--- a/libgimpbase/gimpreloc.c ++++ b/libgimpbase/gimpreloc.c +@@ -27,6 +27,9 @@ + + #include "gimpreloc.h" + ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif + + /* + * Find the canonical filename of the executable. Returns the filename diff --git a/debian/patches/02_hurd_ftbfs.patch b/debian/patches/02_hurd_ftbfs.patch new file mode 100644 index 0000000..f4c1fc7 --- /dev/null +++ b/debian/patches/02_hurd_ftbfs.patch @@ -0,0 +1,25 @@ +From: Svante Signell +Date: Tue, 6 Aug 2019 21:04:22 +0200 +Subject: qbist: Define PATH_MAX on Hurd + +Bug-Debian: https://bugs.debian.org/934077 +Forwarded: https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/424 +Applied-upstream: no +--- + plug-ins/common/qbist.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/plug-ins/common/qbist.c b/plug-ins/common/qbist.c +index f8f94d4..6f1b582 100644 +--- a/plug-ins/common/qbist.c ++++ b/plug-ins/common/qbist.c +@@ -38,6 +38,9 @@ + + #include "libgimp/stdplugins-intl.h" + ++#ifndef PATH_MAX ++#define PATH_MAX 4096 ++#endif + + /** qbist renderer ***********************************************************/ + diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch new file mode 100644 index 0000000..b0b45cc --- /dev/null +++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch @@ -0,0 +1,53 @@ +From: Alx Sa +Date: Sat, 28 Oct 2023 21:44:51 +0000 +Subject: plug-ins: Additional fixes for DDS Import +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +@Wormnest noted remaining regressions after 8faad92e. +The second fread() only runs if the DDSD_PITCH flag is set, +so the error handling check should also be conditional. +Additionally, the ZDI-CAN-22093 exploit no longer runs but +still could cause a plug-in crash. This patch adds an additional +check to ensure the buffer size was within bounds. +--- + plug-ins/file-dds/ddsread.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index 74368d04e41a..dcb4449a9f97 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -928,6 +928,7 @@ load_layer (FILE *fp, + current_position = ftell (fp); + fseek (fp, 0L, SEEK_END); + file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); + fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; +@@ -1033,7 +1034,8 @@ load_layer (FILE *fp, + size *= 16; + } + +- if (size > (file_size - current_position)) ++ if (size > (file_size - current_position) || ++ size > hdr->pitch_or_linsize) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +@@ -1078,7 +1080,9 @@ load_layer (FILE *fp, + } + + current_position = ftell (fp); +- if ((width * d->bpp) > (file_size - current_position)) ++ if ((hdr->flags & DDSD_PITCH) && ++ ((width * d->bpp) > (file_size - current_position) || ++ (width * d->bpp) > hdr->pitch_or_linsize)) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch new file mode 100644 index 0000000..d6f2776 --- /dev/null +++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch @@ -0,0 +1,99 @@ +From: Alx Sa +Date: Fri, 27 Oct 2023 22:04:48 +0000 +Subject: plug-ins: Fix DDS import regression from 7db71cd0 +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +@Wormnest pointed out that compressed files are likely smaller than +width * height * bps, so our check to prevent ZDI-CAN-22093 +also caught valid files. +The size check is removed from load_image () and moved to load_layer () +before the two fread() functions, as we know exactly how much we'll +try to read at that point. +(Backport of 8faad92e) +--- + plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index 98e122de8aff..74368d04e41a 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -191,16 +191,6 @@ read_dds (gchar *filename, + } + } + +- /* verify header information is accurate */ +- if (hdr.depth < 1 || +- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || +- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) +- { +- fclose (fp); +- g_message ("Invalid or corrupted DDS header\n"); +- return GIMP_PDB_EXECUTION_ERROR; +- } +- + if (hdr.pixelfmt.flags & DDPF_FOURCC) + { + /* fourcc is dXt* or rXgb */ +@@ -310,6 +300,15 @@ read_dds (gchar *filename, + precision = GIMP_PRECISION_U8_GAMMA; + } + ++ /* verify header information is accurate */ ++ if (d.bpp < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision); + + if (image == -1) +@@ -923,6 +922,13 @@ load_layer (FILE *fp, + unsigned int size = hdr->pitch_or_linsize >> (2 * level); + unsigned int layerw; + int format = DDS_COMPRESS_NONE; ++ gsize file_size; ++ gsize current_position; ++ ++ current_position = ftell (fp); ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; + if (height < 1) height = 1; +@@ -1027,6 +1033,12 @@ load_layer (FILE *fp, + size *= 16; + } + ++ if (size > (file_size - current_position)) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_LINEARSIZE) && + !fread (buf, size, 1, fp)) + { +@@ -1065,6 +1077,13 @@ load_layer (FILE *fp, + gimp_progress_update ((double)y / (double)hdr->height); + } + ++ current_position = ftell (fp); ++ if ((width * d->bpp) > (file_size - current_position)) ++ { ++ g_message ("Requested data exceeds size of file.\n"); ++ return 0; ++ } ++ + if ((hdr->flags & DDSD_PITCH) && + !fread (buf, width * d->bpp, 1, fp)) + { +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch new file mode 100644 index 0000000..c5ae876 --- /dev/null +++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch @@ -0,0 +1,62 @@ +From: Alx Sa +Date: Sun, 1 Oct 2023 17:54:08 +0000 +Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +Resolves #10069 + +Currently, the DDS header information for the width, height, and bytes per scan line +are read in and assumed to be correct. As these values are used for memory allocation +and reading, it would be good to verify they do not exceed the file size. + +This patch adds a condition after the header is read in to verify those values. If they exceed +the file size (mins an offset), the file is not read in and an error message is shown. +--- + plug-ins/file-dds/ddsread.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index a8eb8b8ad9f3..98e122de8aff 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -109,6 +109,7 @@ read_dds (gchar *filename, + guchar *pixels; + gchar *tmp; + FILE *fp; ++ gsize file_size; + dds_header_t hdr; + dds_header_dx10_t dx10hdr; + dds_load_info_t d; +@@ -130,6 +131,10 @@ read_dds (gchar *filename, + return GIMP_PDB_EXECUTION_ERROR; + } + ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); ++ + if (strrchr (filename, '/')) + tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1); + else +@@ -186,6 +191,16 @@ read_dds (gchar *filename, + } + } + ++ /* verify header information is accurate */ ++ if (hdr.depth < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || ++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + if (hdr.pixelfmt.flags & DDPF_FOURCC) + { + /* fourcc is dXt* or rXgb */ +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch new file mode 100644 index 0000000..3f32a28 --- /dev/null +++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch @@ -0,0 +1,49 @@ +From: Alx Sa +Date: Sat, 23 Sep 2023 20:40:18 +0000 +Subject: plug-ins: Fix vulnerabilities in file-psp +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443 +Bug-Debian: https://bugs.debian.org/1055984 + +Backports commits e1bfd871 and 96f536a3 +from master +--- + plug-ins/common/file-psp.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index c0f3480641c2..6a6b93d0cde7 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -1128,8 +1128,17 @@ read_color_block (FILE *f, + } + + color_palette_entries = GUINT32_FROM_LE (entry_count); ++ /* TODO: GIMP currently only supports a maximum of 256 colors ++ * in an indexed image. If this changes, we can change this check */ ++ if (color_palette_entries > 256) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Error: Unsupported palette size")); ++ return -1; ++ } ++ + /* psp color palette entries are stored as RGBA so 4 bytes per entry +- where the fourth bytes is always zero */ ++ * where the fourth bytes is always zero */ + pal_size = color_palette_entries * 4; + color_palette = g_malloc (pal_size); + if (fread (color_palette, pal_size, 1, f) < 1) +@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f, + else + endq = q + line_width * height; + +- buf = g_malloc (127); ++ buf = g_malloc (128); + while (q < endq) + { + fread (&runcount, 1, 1, f); +-- +2.42.0 + diff --git a/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch new file mode 100644 index 0000000..a6ba842 --- /dev/null +++ b/debian/patches/plug-ins-Fix-vulnerability-in-file-psd.patch @@ -0,0 +1,29 @@ +From: Alx Sa +Date: Fri, 29 Sep 2023 20:39:29 +0000 +Subject: plug-ins: Fix vulnerability in file-psd +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44442 +Bug-Debian: https://bugs.debian.org/1055984 + +Resolves #10101. +This patch adds a missing break statement after an error condition +is detected to prevent the code from continuing afterwards. +--- + plug-ins/file-psd/psd-util.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/plug-ins/file-psd/psd-util.c b/plug-ins/file-psd/psd-util.c +index 1eccdd640e1c..34b442dc4966 100644 +--- a/plug-ins/file-psd/psd-util.c ++++ b/plug-ins/file-psd/psd-util.c +@@ -518,6 +518,7 @@ decode_packbits (const gchar *src, + { + IFDBG(2) g_debug ("Overrun in packbits replicate of %d chars", n - unpack_left); + error_code = 2; ++ break; + } + memset (dst, *src, n); + src++; +-- +2.42.0 + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..899cd95 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,7 @@ +01_hurd_ftbfs.patch +02_hurd_ftbfs.patch +plug-ins-Fix-vulnerabilities-in-file-psp.patch +plug-ins-Fix-vulnerability-in-file-psd.patch +plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch +plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch +plug-ins-Additional-fixes-for-DDS-Import.patch -- cgit v1.2.3